CI plugin policy

Prisma Cloud lets you centrally define your CI policy in Console in
Defend > Compliance > Containers and images > CI
. These policies establish security gates at build-time. Use policies to pass or fail builds, and surface security issues early during the development process.
There are two types of policies you can use to target your CI tool: vulnerability policies and compliance policies. CI rules have the same parameters as the rules for registries and deployed components, letting you evenly enforce policy in all phases of the app lifecycle.
Prisma Cloud offers the following components for integrating with CI tools:
  • A native Jenkins plugin.
  • A stand-alone, statically compiled binary, called twistcli, that can be integrated with any CI tool.

Vulnerability policy

For more information about the parameters in vulnerability management rules, see here.
Vulnerability rules that target the build tool can allow specific vulnerabilities by creating an exception and setting the effect to 'ignore'. Block them by creating an exception and setting hte effect to 'fail'. For example, you could create a vulnerability rule that explicitly allows CVE-2018-1234 to suppress warnings in the scan results.
Rules take effect as soon as they are saved.

Compliance policy

Prisma Cloud’s compliance checks are based on the Center for Internet Security (CIS) Docker Benchmarks. We also provide numerous checks from our lab. You can also implement your own checks using custom checks.
Compliance rules that target the CI tool can permit specific compliance issues by setting the action to 'ignore'.
Rules take effect as soon as they are saved.